Sources
CVE-2026-26118: Azure MCP Server SSRF Allows Managed Identity Token Theft — Patched March 10
A CVSS 8.8 server-side request forgery bug in Microsoft's Azure MCP Server lets an authenticated attacker substitute a malicious URL for any Azure resource identifier, causing the MCP server to make outbound requests with its managed identity token attached — handing the attacker valid credentials to traverse other Azure resources. This makes it an effective lateral movement vector in any agentic deployment touching Azure services, since the MCP server's identity typically has broad resource access. Patched in March Patch Tuesday on March 10; Azure MCP Server deployments before that date should audit for potential credential exposure.
Source
↳ Follow the thread